Context-Sensitive Confidentiality within Federated Environments

ABSTRACT

Techniques are disclosed for achieving context-sensitive confidentiality within a federated environment for which content is aggregated in a distributed Web portal (or similar aggregation framework), ensuring that message portions that should be confidential are confidential to all entities in the federated environment except those entities to which the message portions may properly be divulged. The federation may comprise an arbitrary number of autonomous security domains, and these security domains may have independent trust models and authentication services. Using the disclosed techniques, messages can be routed securely within a cross-domain federation (irrespective of routing paths), thereby ensuring that confidential information is not exposed to unintended third parties and that critical information is not tampered with while in transit between security domains. Preferred embodiments leverage Web services techniques and a number of industry standards.

RELATED INVENTION

The present invention is related to commonly-assigned U.S. Pat. No.7,346,923 (Ser. No. 10/719,490, filed Nov. 21, 2003), which is titled“Federated Identity Management within a Distributed Portal Server”. Thiscommonly-assigned invention is referred to herein as “the relatedinvention” and is hereby incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to computer software, and deals moreparticularly with techniques for achieving context-sensitiveconfidentiality within a federated environment for which content isaggregated in a distributed Web portal (or similar aggregationframework).

2. Description of the Related Art

Web portals (sometimes referred to equivalently as portal platforms,portal systems, or portal servers) are designed to serve as a gateway,or focal point, for access to an aggregation or collection ofinformation and applications from many different sources. Portals oftenprovide an end user view, commonly referred to as a “portal page”. Aportal page is often structured as a single overview-style page (whichmay provide links for the user to navigate to more detailedinformation). Alternatively, portal pages may be designed using anotebook paradigm whereby multiple pages are available to the user uponselecting a tab for that page. (Other frameworks which aggregate contentand/or services may have characteristics analogous to those of a portal.The term “portal”, as used herein, is intended to include such otheraggregation frameworks.)

In addition to providing for content delivery to end users, Web portalsare increasingly used as gateways to so-called “Web services” (i.e.,network-accessible services) for distributed computing. Web services area rapidly emerging technology for distributed application integration ina distributing computing environment such as the Internet. In general, a“Web service” is an interface that describes a collection ofnetwork-accessible operations. Web services fulfill a specific task or aset of tasks, and may work with one or more other Web services in aninteroperable manner to carry out their part of a complex workflow or abusiness transaction. For example, completing a complex purchase ordertransaction may require automated interaction between an order placementservice (i.e., order placement software) at the ordering business and anorder fulfillment service at one or more of its business partners.

With Web services, distributed network access to software becomes widelyavailable for program-to-program operation, without requiringintervention from humans. Web services are generally structured using amodel in which an enterprise providing network-accessible servicespublishes the services to a network-accessible registry, and otherenterprises needing services (or human beings searching fornetwork-accessible services) are able to query the registry to learn ofthe services' availability. (Hereinafter, references to an entity oruser making use of Web services are intended to include programmaticentities as well as human beings.) The participants in this computingmodel are commonly referred to as (1) service providers, (2) servicerequesters, and (3) service brokers. These participants, and thefundamental operations involved with exchanging messages between them,are illustrated in FIG. 1. The service providers 100 are the entitieshaving services available, and the registry to which these services arepublished 110 is maintained by a service broker 120. The servicerequesters 150 are the entities needing services and querying 140 theservice broker's registry. When a desired service is found using theregistry, the service requester binds 130 to the located serviceprovider in order to use the service. These operations are designed tooccur programmatically, without requiring human intervention, such thata service requester can search for a particular service and make use ofthat service dynamically, at run-time. The Web services model istheoretically available for any type of computing application.

Web services allow applications and services (referred to hereinafter asservices for ease of reference) to interact with one another usingWeb-based standards. A number of standards are being promulgated in theWeb services arena as the problems inherent in that environment becomebetter understood. A complete discussion of these protocols is beyondthe scope of the present discussion, but basic protocols on which Webservices work is being built include HTTP (“Hypertext TransferProtocol”), SOAP (“Simple Object Access Protocol”), and WSDL (“WebServices Description Language”). HTTP is commonly used to exchangemessages over TCP/IP (“Transmission Control Protocol/Internet Protocol”)networks such as the Internet. SOAP is an XML (“Extensible MarkupLanguage”) based protocol used to send messages for invoking methods ina distributed environment. WSDL is an XML format for describingdistributed network services.

For more information on SOAP, refer to “Simple Object Access Protocol(SOAP) 1.1, W3C Note 8 May 2000”, which is available from the World WideWeb Consortium, or “W3C”. The WSDL specification is titled “Web ServicesDescription Language (WSDL) 1.1, W3C Note 15 Mar. 2001”, and is alsoavailable from the W3C. HTTP is described in Request For Comments(“RFC”) 2616 from the Internet Engineering Task Force, titled “HypertextTransfer Protocol—HTTP/1.1” (June 1999). It should be noted thatreferences herein to “HTTP” are intended in a generic sense to refer toHTTP-like functions. Some Web services operations, for example, requireHTTPS instead of HTTP, where HTTPS is a security-enhanced version ofHTTP.

The goal of Web services is to provide service requesters withtransparent access to program components which may reside in one or moreremote locations, even though those components might run on differentoperating systems and/or be written in different programming languagesthan those of the requester.

A federation within a Web services context relates to collaborationamong loosely-coupled and complementary Web services across securitydomains. For example, suppose employees from two companies would like tomeet with one another, and that the two companies have differentautomated calendar/meeting services, each of which providescomplementary functionality (e.g., by managing employee's schedules).Federating these complementary services would allow the independentcalendar services to exchange application information, enabling theemployees to establish the joint meeting using their respective calendarservices.

While support for Web services and portals in federated environmentscontinues to make great progress, areas remain where improvements can bemade.

SUMMARY OF THE INVENTION

An object of the present invention is to provide context-sensitiveconfidentiality within a federated environment.

Another object of the present invention is to provide context-sensitiveconfidentiality in an environment that leverages a distributed Webportal for aggregating a plurality of views or services.

A further object of the present invention is to define techniques forsecurely transmitting messages within a federation that spans multipletrust models, where one or more intermediaries along a particularmessage path may need access to security-sensitive portions of atransmitted message.

Yet another object of the present invention is to provide techniqueswhereby security-sensitive information transmitted with a message can beselectively disclosed to entities that are authorized to access thatinformation.

Still another object of the present invention is to define techniqueswhereby a message can carry security-sensitive information for multipleintended receivers, such that each intended receiver can access only thesecurity-sensitive information specifically intended for that receiver.

Other objects and advantages of the present invention will be set forthin part in the description and in the drawings which follow and, inpart, will be obvious from the description or may be learned by practiceof the invention.

To achieve the foregoing objects, and in accordance with the purpose ofthe invention as broadly described herein, the present invention may beprovided as methods, systems, and/or computer program products. In oneaspect, techniques are providing for achieving context-sensitiveconfidentiality in a federated environment, further comprising:determining a network route to be taken by a message to be transmittedin the federated environment; determining, prior to transmitting themessage over the network route, a plurality of nodes to be encounteredon the determined route; at least one portion of the message that issecurity-sensitive; and, for each of the nodes and each of thesecurity-sensitive portions, whether the node is entitled to access thesecurity-sensitive portion; selectively protecting, in the message priorto transmitting the message over the network route, each of the at leastone security-sensitive portion of the message for each distinct one ofthe nodes which is entitled to access the security-sensitive portion;creating a message receiver element for each of theselectively-protected at least one portion of the message and eachdistinct one of the nodes which is entitled to access theselectively-protected portion, the message receiver element identifyingthe node and providing a node-specific keyword corresponding to thenode; and transmitting the message on the determined network route, themessage receiver elements enabling each of the nodes to locate andaccess each security-sensitive portion which the node is entitled toaccess and preventing the node from accessing any security-sensitiveportion which the node is not entitled to access.

The selective protection preferably further comprises encrypting atleast one security-sensitive portion of the message and/or computing adigital signature over at least one security-sensitive portion of themessage.

Policy may be consulted when determining the route to be taken for themessage. Policy may also, or alternatively, be consulted whendetermining the access rights for the nodes to be encountered.

A role of at least one of the nodes to be encountered may be determined,and determining the access rights may then further comprise consultingpolicy for each determined role, wherein the policy specifies accessrights for that role.

The selective protection is preferably provided by encrypting eachsecurity-sensitive portion of the message for each node and/or rolewhich is entitled to access that portion. Public keys associated witheach of the nodes/roles are preferably used for the encrypting.

Optionally, the determined route may be specified in the transmittedmessage.

The network route may cross a plurality of security domains in thefederated environment. The transmitted message may further containinformation identifying an authentication authority from a first of thesecurity domains and an identification of a sender of the message, andmay indicate that this authentication authority has alreadyauthenticated the sender using security credentials thereof, such thatnodes receiving the message in other ones of the security domains canbypass authentication of the sender , upon verifying authenticity of theauthentication authority and establishing that the authenticationauthority vouches for the message. Preferably, the authenticationauthority is determined to vouch for the received message if a digitalsignature computed by the authentication authority and transmitted withthe message is determined, by the node receiving the message in the oneof the other security domains, to be valid. The transmitted message maycontain security credentials of the sender, where those securitycredentials have been authenticated by the identified authenticationauthority and are protected such that only authorized ones of the nodesreceiving the message in other ones of the security domains can accessthe protected security credentials. Preferably, the protected securitycredentials are encrypted using a public key of each of the authorizedones of the nodes receiving the message, such that each of theauthorized ones can decrypt the protected security credentials using acorresponding private key.

The present invention may also or alternatively be deployed as one ormore services for ensuring context-sensitive confidentiality of messagestransmitted within a federated environment. As one example, a messageconfidentiality service may be provided for securely transmittingmessages in a federated environment, and this service may comprise:determining a network route to be taken by a message to be transmittedin the federated environment; determining, prior to transmitting themessage over the network route, a plurality of nodes to be encounteredon the determined route; at least one portion of the message that issecurity-sensitive; and, for each of the nodes and each of thesecurity-sensitive portions, whether the node is entitled to access thesecurity-sensitive portion; selectively protecting, in the message priorto transmitting the message over the network route, each of the at leastone security-sensitive portion of the message for each distinct one ofthe nodes which is entitled to access the security-sensitive portion;creating a message receiver element for each of theselectively-protected at least one portion of the message and eachdistinct one of the nodes which is entitled to access theselectively-protected portion, the message receiver element identifyingthe node and providing a node-specific keyword corresponding to thenode; and transmitting the message on the determined network route, themessage receiver elements enabling each of the nodes to locate andaccess each security-sensitive portion which the node is entitled toaccess and preventing the node from accessing any security-sensitiveportion which the node is not entitled to access. . A fee may be chargedfor performing the service. Optionally, the service may further compriseapplying the determined protections to the security-sensitive portions.

The present invention will now be described with reference to thefollowing drawings, in which like reference numbers denote the sameelement throughout.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 provides a diagram illustrating participants and operations of aservice-oriented architecture in which Web services are deployed,according to the prior art;

FIG. 2 illustrates components of that may be involved when aconfidential message is transmitted among participants in a federatedenvironment;

FIG. 3 shows a generalized routing path between a message sender and anultimate message receiver, as well as several intermediaries along thepath that may need access to at least some security-sensitive portion ofthe message, and is used to describe operation of preferred embodiments;

FIG. 4 provides a flowchart depicting logic that may be used toimplement an embodiment of the present invention;

FIG. 5 illustrates a sample message header that may be included in atransmitted message to convey message routing information; and

FIG. 6 shows sample message contents of the type that may be transmittedby an embodiment of the present invention, illustrating encryption ofsecurity-sensitive information for intended receivers to be encounteredalong the message path to the ultimate message receiver.

DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention discloses techniques for achievingcontext-sensitive confidentiality within a federated environment. Asused herein, the term “context-sensitive confidentiality” comprisesensuring that message portions that should be confidential areconfidential to all entities in the federated environment except thoseentities to which the message portions may properly be divulged. Thefederation may comprise an arbitrary number of autonomous securitydomains, and these security domains may have independent trust modelsand authentication services. Using the disclosed techniques, messagescan be routed securely within a cross-domain environment, therebyensuring that confidential information is not exposed to unintendedthird parties and that critical information is not tampered with whilein transit between security domains. Preferred embodiments leverage Webservices techniques and a number of industry standards.

The related invention disclosed techniques for managing identitiesacross autonomous security domains which may be comprised of independenttrust models, authentication services, and user enrollment services(and, optionally, authorization services). Using techniques disclosedtherein, a set of credentials is obtained for a user (whether a humanuser or a programmatic entity) accessing an aggregation point-of-contact(such as a portal interface provided by a distributed portal platform).Those credentials are then authenticated for use in the local securitydomain. By consulting policy information, other security domains forwhich the user must be authenticated are determined. (Policy informationmay be created, for example, by a systems administrator for the localsecurity domain.)

As an example, suppose the user will access an aggregated viewcomprising views of three services, each of which requiresauthentication. A first service might provide a view of this user'semployee benefits, while a second provides a view of the user's bankaccount information and a third provides a view of the user's stockportfolio. Further suppose that each service is deployed in a distinctsecurity domain, and that the employee benefits service is provided bythe local security domain (as may be the case when the user accesses theaggregated view while at work). In this example, policy informationpreferably identifies trust components that are responsible forcoordinating authentication in each of the security domains. These trustcomponents are referred to in the related invention as “trust proxies”.(In preferred embodiments of the related invention and the presentinvention, a trust proxy is preferably deployed as a Web service thatmanages trust relationships and routes authentication-related messagesbetween federation participants.)

Thus, according to the related invention, once the local trust proxydetermines that the user is authenticated for the local security domain,this local trust proxy passes information pertaining to the user'sauthenticated credentials to the trust proxy for each of the remotesecurity domains. Credential mapping operations are then carried out inthe remote security domains to determine the user's local credentialsfor each of the remote security domains. For example, the user mighthave a user identifier (“user ID”) of “Employee1234” in the localdomain; a user ID of “Account5678” in the banking domain; and a user IDof “Portfolio543” in the stock portfolio domain, where all of theseidentifiers belong to the same user. Different underlying securitytechniques may be used in the different security domains as well.Credential mapping eliminates the need for the user to provide each ofthese different user IDs (and their corresponding password) to theaggregation point, and allows each security domain to carry out its ownsecurity techniques to authenticate the user with the user credentialswhich have been established for that security domain.

Authentication results within each domain are passed to the appropriateservice deployed within that domain (e.g., informing the bank accountservice as to whether the bank account information for the user shouldbe invoked, in the example, where this bank account service operates toprovide a view that will be aggregated at the aggregationpoint-of-contact with the employee benefits information and stockportfolio information). These results are also sent to the aggregationpoint-of-contact. If the aggregation point-of-contact receivesinformation that the user is not authenticated (or not authorized) forusing services in any of the security domains, then the view of thecorresponding service will not be included in the aggregated view (andthe corresponding service, which also receives this information, shouldnot supply content to the aggregator). In preferred embodiments of therelated invention, the aggregation point-of-contact provides theaggregated views as a portal page and the remote services are Webservices-based portlets; the local service is preferably deployed as aportlet as well. The related invention therefore enables seamlesslyintegrating Web services-based portlets, which may rely on differentsecurity mechanisms and which may be deployed by various third parties,within a common portal page or other aggregation.

Several of the industry standards which are leveraged by preferredembodiments of the related and present inventions will now be described.

A specification titled “Web Services Security (WS-Security), Version1.0” and published Apr. 5, 2002 (also referred to herein as“WS-Security” or “the Web services security specification”), draftedjointly by International Business Machines Corporation (“IBM”),Microsoft Corporation, and Verisign, defines techniques that may be usedfor Web services-based message security. A specification titled “WebServices Federation Language (WS-Federation)” and published Jul. 8, 2003(also referred to herein as “WS-Federation” or “the Web servicesfederation specification”), drafted jointly by IBM, MicrosoftCorporation, and Verisign, describes a model for integratingincompatible security mechanisms or security mechanisms that aredeployed within different domains. For example, suppose two businesspartners each implement public key encryption-based identityinfrastructures, or that one of the partners happens to implement aKerberos system while the other trading partners do not. WS-Federationoffers a roadmap for how to apply Web service technologies to tie thosesystems together, leveraging lower-level Web services securityspecifications that provide support for message security, policy, trust,and privacy.

Preferred embodiments of the related and present inventions alsoleverage the specification titled “Web Services for Remote PortalsSpecification, Version 1.0” (referred to hereinafter as WSRP”), whichwas approved as an OASIS (“Organization for the Advancement ofStructured Information Standards”) standard in August, 2003 foroperating within a distributed portal environment.

According to preferred embodiments of the related and presentinventions, each trust proxy is configured with routing information andpolicy declarations to ensure that messages are only sent to trustedparties (as determined by relationships which are preferably establishedout-of-band between the various domains). Alternatively, routinginformation may be propagated within the context of a SOAP message via astateless protocol such as the Web Services Routing protocol, defined in“Web Services Routing Protocol (WS-Routing)”, published Oct. 23, 2001 byMicrosoft Corporation. This protocol specification is referred to hereinas “WS-Routing”.

These above-described specifications, which do not disclose theinventive techniques of the related or present inventions, are herebyincorporated herein by reference.

Federated identity management according to the related invention allowsservices residing in disparate security domains to interoperate andcollaborate securely, irrespective of the differences in the underlyingsecurity mechanisms and/or operating system platforms. In effect, thesecurity mechanisms are programmatically tied together, or bridged, in atransparent manner in order to enable this interoperation and securecollaboration among services. Federated identity management is one ofthe key requirements for higher-level federation scenarios.

As an example of how other scenarios build upon federated identitymanagement, consider trading partners where each partner manages anautonomous and insular supply chain. Federating the vendor supply chainswould provide a greater degree of optimization across inventory,production, distribution, and transportation systems among the tradingpartners. This level of federation implies collaboration amongenterprise resource planning (“ERP”) systems and supply chain managementdecision support services hosted by the trading partners. For example,Acme Widgets company may buy inventory from Supplier A, which in turnbuys inventory from Supplier B. There may be a number of scenarios whereSupplier B could operate more efficiently with access to selectedinformation of downstream companies such as Acme Widgets. However, eachcompany's information technology systems typically provide securitymechanisms that restrict access to core business processes to entitiesthat are authenticated and determined to be authorized for this access.Without a flexible and interoperable means of federated identitymanagement, the efficiencies associated with highly-optimized,collaborative supply chains are untenable. Using federated identitymanagement, as disclosed in the related invention, the necessaryauthorizations can be granted and subsequently verified at run time, andcommunicating entities can be authenticated (including authenticationacross security domains) to ensure that the appropriate trading partners(and only those trading partners) can access one another's supply chainsin a seamless manner. (Many other federation scenarios can be imaginedthat require federated identity management and that will thereforebenefit from techniques of the related and present inventions.)

The present invention may be used in combination with an embodiment ofthe related invention to securely transmit identity managementinformation used when federating services within an aggregation point.Alternatively, an embodiment of the present invention may be used inother environments where it is necessary to provide context-sensitiveconfidential message transmissions in a federated environment.Accordingly, references herein to the related invention are by way ofillustration but not of limitation.

FIG. 2 provides a sample federated environment and is used to show howmessages may need to be exchanged among components when aggregatingservices in a federated environment. In this sample environment 200, auser 205 interacts with a distributed portal 210 that acts as thefederation entry point (also referred to herein as an aggregationpoint-of-contact) for end users. In this example, the distributed portalaggregates, within a common portal interface, content from servicesprovided by remote portlets 230, 260 and local portlet 245, where theseservices span multiple independent security domains (shown in the figureas local security domain 275 and remote security domains 270, 280). Asdisclosed in the related invention, a generic portlet proxy 215 isresponsible for protocol conversion of messages which are published bydistributed portal 210 to local trust proxy 235. The generic portletproxy 215 may, for example, convert HTTP requests used by portal 210 toWSRP-compliant SOAP messages that can be consumed at local trust proxy235 (and vice versa). (The term “generic portlet proxy”, as used in therelated invention and as used herein, refers to a portlet that acts asan intermediary between an application or software resource requesting aparticular service and a software resource providing that service.)

Thus, when distributed portal 210 publishes a message requestingauthentication of user 205 in the local security domain 275, local trustproxy 235 communicates with local authentication service 240, whichperforms the authentication. Assuming the user is authenticated locally,results of the authentication are passed by local trust proxy 235 toremote trust proxies 220 and 250, which in turn communicate with theirown local authentication services (identified in FIG. 2 as remoteauthentication services 225 and 255, respectively) to determine whetherthe user is authenticated in the remote domains. (As disclosed in therelated invention, the user for which services are to be federated mayhave varying security identities within the different security domains270, 275, 280. Thus, credential mapping may be carried out in the remotedomains when authenticating the user for that domain.)

Each of the authentication services 225, 240, 255 is shown in FIG. 2 ascommunicating authentication results to a corresponding portlet 230,245, 260, where a service will be performed for this user (assuming theuser is authenticated and authorized for that service). In addition,each authentication service preferably communicates authenticationresults to its local trust proxy, which in turn informs the distributedportal 210 as to whether the user is authorized to view content from therespective portlet. (These latter communications have not beenillustrated in FIG. 2.) With reference to the example discussed abovewhere a user wishes to view a page aggregating views of three services,local portlet 245 represents the employee benefits service, and remoteportlets 230 and 260 represent the bank account service and stockportfolio service.

The related invention used the term “relying” service to refer to WSRPremote portlet Web services that consume authentication information froma local or remote domain in order to provide a service to analready-authenticated user (or programmatic entity). According to thepresent invention, caching may be used to optimize authenticationoperations, whereby previously-determined authentications within aparticular context can be cached for some period of time, andnewly-arriving requests pertaining to cached authentications can thenleverage the cached information rather than performing theauthentication again. In addition, preferred embodiments may cacherouting information. Caching is discussed in more detail with referenceto FIG. 4.

The sample configuration in FIG. 2 is provided for purposes ofillustration and not of limitation. It may happen, for example, thatmore than more or fewer separate security domains exist in theconfiguration of an actual distributed portal scenario. (And, in somecases, a distributed portal scenario may include one or more remoteportlets that do not require authentication, in combination with one ormore remote portlets that do require authentication.)

Note also that while discussions of the present invention are in termsof a distributed computing environment that leverages a portal platformfor aggregation, the inventive concepts are applicable to other types ofcontent frameworks or aggregators which provide analogous functionality,and thus references to portals and their portlet paradigm is by way ofillustration and not of limitation.

As stated earlier, the related invention noted that end-to-end securityin a cross-domain environment of the type illustrated in FIG. 2 ispreferably provided to ensure that confidential information is notexposed to unintended third parties and that critical information is nottampered with while in transit between the security domains. However,techniques for providing context-sensitive confidentiality in afederated environment were not disclosed therein. Those techniques arethe subject of the present invention.

The manner in which preferred embodiments of the present inventionenable context-sensitive, confidential exchange of information amongautonomous security domains will now be described in more detail.

FIG. 3 shows participants on a generalized routing path used to transmita SOAP message between a message sender 300 and an ultimate messagereceiver 340, as well as several intermediaries 310, 320, 330 that maybe encountered along the path to message receiver 340. Intermediaries310, 320, 330 are referred to in FIG. 3 using the notation “TP/SI”, anabbreviation for “trust proxy/SOAP intermediary”, indicating that thesecomponents may serve as trust proxies of the type discussed above and/oras SOAP nodes that route a message along the path from sender 300 toreceiver 340. For example, TP/SI 310 might represent the local trustproxy 235 of FIG. 2, while TP/SI 320 represents remote proxy 220 andTP/SI 330 represents remote authentication service 225; and in thisexample, message sender 300 corresponds to generic portlet proxy 215(operating on behalf of distributed portal 210) and message receiver 340corresponds to remote portlet 230. (Note that when nodes 300-340 areidentified in FIG. 3 as SOAP nodes, this implies that a servicedescription is available for each node. In alternative embodiments,nodes other than SOAP nodes may be supported.)

To ensure that messages sent among the security domains are protected,security-sensitive portions of the messages are preferably encryptedbefore transmission. A particular intermediary may need access to one ormore of these security-sensitive portions of a transmitted message forperforming functions locally. For example, when an authenticationrequest is transmitted from generic portlet proxy 215 to local trustproxy 235, the local trust proxy needs to determine what is beingrequested of the local environment and also which, if any, remote trustproxies it must contact to perform remote authentication. If informationneeded by local trust proxy 235 in the message sent from generic portletproxy 215 is encrypted, then local trust proxy 235 must be able todecrypt that information. Local trust proxy 235 can then evaluate thatdecrypted information and, upon determining that remote trust proxies220 and 250 must be contacted, sends messages to those trust proxieswherein encryption is used to protect security-sensitive information asit travels to the remote security domains. (Similarly, trust proxies inthe remote domains may need to forward information to other receivers.Preferably, each trust proxy authenticates a digital signature onreceived messages to ensure the messages are authentic prior to carryingout further operations, as in the prior art.)

FIG. 4 illustrates logic that may be used in preferred embodiments forproviding context-sensitive confidentiality for message portions thatare transmitted among federation participants, and FIGS. 5 and 6 showsample syntax that may be used for message transmission.

The processing of FIG. 4 serves to establish fine-grained protection fortransmitted messages. Beginning at Block 400, when a message sender hasa message to be transmitted, preferred embodiments dynamically resolvethe target service description of the ultimate message receiver (whichis preferably specified as a WSDL specification), thereby determiningthe messages accepted by the receiver (and other information such as theapplicable message bindings). In addition, policy information ispreferably consulted to determine which portions of the message requiresecurity protection in this context. (Preferably, policy informationused by preferred embodiments is specified according to the WS-Securityspecification). In this manner, a coarse-grained view of securityrequirements is initially established in terms of the ultimate messagereceiver.

The security requirements may comprise confidentiality, integrity,and/or authentication requirements (and authorization requirements mayalso be specified). The term “quality of protection”, or “QoP”, is usedherein to refer generally to the security requirements that may bespecified in policy information.

As an example of confidentiality requirements, the policy may specifywhether portions of the message must be encrypted in this context (wherethe context preferably comprises at least an identification of themessage sender and receiver as well as the message type), and if so,what portions must be encrypted; additional confidentiality requirementsmay also be specified in the policy information, such as requiredencryption strength or an encryption algorithm that must be used in thiscontext.

As an example of message integrity requirements, the policy may specifywhether a digital signature must be computed, and if so, what messageportions should be included in a digest to be signed and how that digestshould be computed.

Authentication requirements and/or authorization requirements may alsobe specified in the policy. In preferred embodiments, the trust proxiesare responsible for ensuring that only authorized and valid messageexchanges from authenticated entities are allowed within theirrespective security domain, thereby providing cross-federationauthentication and authorization. For example, policy is preferablyconsulted to determine whether the message sender is authorized to sendthis message to this receiver.

Preferred embodiments leverage the generic portlet proxy shown atreference number 215 to coordinate context-sensitive confidentialityoperations on behalf of the distributed portal. Accordingly, operationsshown in FIG. 4 are preferably initiated by the generic portlet proxywhen the distributed portal has a message to be transmitted. As analternative approach, local trust proxy 235 may be responsible forcoordinating the confidentiality operations upon receiving a messagefrom the generic portlet proxy.

In Block 410, a determination is made as to what route this messageshould take to its ultimate receiver. The manner in which the route isdetermined may vary, and does not form part of the inventive conceptsdisclosed herein. As one approach, the route may be determined byconsulting policy information—which may contain tuples specifying amessage sender, message type, ultimate receiver, and corresponding path,for example. Routing optimizations may be applied, if desired for aparticular environment. In preferred embodiments, the generic portletproxy requests a route resolution from the local trust proxy. The localtrust proxy may, in turn, consult another entity that is responsible forroute selection. Or, the local trust proxy may consult one or more ofthe TP/SI components to determine a route to the ultimate messagereceiver. As yet another approach, a WS-Routing declarative routingstatement may be consulted to determine the route to be taken.

According to preferred embodiments, the XML Linking (“XLink”) languageis used as a means of representing message traversal path definitions.Once a route to be taken by a message has been determined, the traversalpath definition is preferably recorded at a Uniform Resource Locator(“URL”). By including that URL in a transmitted message, each receiverof the message can therefore consult the route definition to determineany next hop(s) for the message. The XLinking language is defined in“XML Linking Language (XLink) Version 1.0, W3C Recommendation 27 Jun.2001”, which is available from the W3C. XLink syntax is well known inthe art, and a discussion thereof is not deemed necessary to anunderstanding of the present invention. (A sample message header usingXLink notation to reference a stored route is described below withreference to FIG. 5.)

Once a route has been determined, it may optionally be cached orotherwise persisted (e.g., using a URL as discussed above) forsubsequent use. For example, a particular message sender may need tosend a series of messages to a message receiver, and if apreviously-determined route is available, then the route determinationcan be bypassed. (Preferably, route caching considers the message typeas well as the message sender and receiver; additional and/or differentfactors may be deemed pertinent in a particular environment.)

Preferred embodiments may also cache, at one or more nodes along a path,information comprising (1) whether the user is already authenticated tothe local service; (2) whether the user's authorization for this servicehas already been determined (e.g., by comparing the user's credentialsto stored policy information); and (3) which are the “next hops” in thispath (i.e., the neighboring nodes to which the message should berouted). Subsequently, if a message is received for analready-authenticated user whose authorization is already determined,the authentication and authorization-checking for that user can bebypassed.

As shown in Block 420, after determining the message route, a quality ofprotection overlay is then performed. In preferred embodiments, thiscomprises harvesting policy information for all intermediaries that willbe encountered along the selected route to the ultimate messagereceiver. Preferably, a WSDL specification for each of theintermediaries is consulted, and policy information of the intermediaryis thereby identified. Or, roles of each intermediary may be used whenlocating appropriate policy information. For example, policy may specifythat an intermediary in the role of routing entity is allowed only toview information pertaining to the selected route for the message orperhaps a subset of the route (such as an identification of the nexthop), while intermediaries in the role of trust proxy are allowed toview additional information. As another example, policy may specify thata trusted entity that caches content should be allowed to decryptselected portions of encrypted content within a transmitted message; or,if authentications are to be cached, as discussed earlier, then anencrypted message portion preferably contains the authenticationinformation to be decrypted by the trusted entity that performs thisauthentication caching. This policy information as to which messageportions should be accessible may be referred to as “entitlements” ofmessage recipients.

The policy information obtained at Block 420, along with the policyinformation obtained at Block 400, is then analyzed to resolve anyconflicts that may exist. (Conflict resolution, in this case, preferablyincludes using the most-restrictive or most-secure choice when multiplechoices are present.) In this manner, the generic portlet proxy candetermine the type(s) of fine-grained protection that are required forsecure, context-sensitive message transmission (i.e., providing theproper encryption, digital signatures, and so forth, as specified by thepolicy overlay, for transmitting this particular message on thisparticular route).

When a route between the message sender and receiver is available fromcache, as discussed above, then the intermediary-specific policyinformation (and corresponding conflict resolutions, if any) may also becached, thereby yielding further efficiencies in message transmissionwithout jeopardizing message confidentiality.

Once the appropriate security requirements for the message have beendetermined, a message reflecting those requirements is generated (Block430). Preferred embodiments enable a particular security-sensitivemessage portion to be encrypted for subsequent decryption by multiplereceivers. For example, each trust proxy 220, 235, 250 may need to knowan identifier of a portal page for which authentication is beingrequested as well as the user ID and password provided by the user foraccessing that portal page.

As stated earlier, even though the user's credentials may be differentin remote security domains 270, 280, transmitting the credentialsprovided for accessing local security domain 275 to those other domainsenables seamlessly retrieving the user's credentials for the remotedomains via credential mapping. Therefore, it is necessary to protectthe already-authenticated credentials that are in transit to the remotesecurity domains. A security token, as described in the WS-Securityspecification, may be used to specify information for secure messageexchanges among trusted parties, and in particular, to specify thecredentials to be transmitted among trusted parties. In a simple format,a security token according to this WS-Security specification uses a“UsernameToken” element to encapsulate a user name and optionalpassword. Depending on security policy, it may be desirable to encryptthe contents of this UsernameToken element. (Refer to the relatedinformation for a more detailed discussion of security tokens andexamples of their use. Encryption of the contents of this element,however, was not discussed in the related invention.)

Alternatively, there may be one or more security-sensitive messageportions to which only a single intermediary should be allowed access,and preferred embodiments also support this approach. Suppose, forexample, that generic portlet proxy 215 is adapted to specify onemessage portion containing routing information that is deemed to besecurity-sensitive (and that routing intermediaries that do not serve astrust proxies will need to decrypt this message portion), anothermessage portion containing security-sensitive information that is onlyto be decrypted by the local trust proxy, and yet another messageportion that is to be decrypted by the local and remote proxies.Embodiments of the present invention preferably enable each of thesemessage portions to be encrypted for its intended receivers (even thoughsome redundancy may result).

If the policy indicates that a selected message portion is to beencrypted in a manner that enables each trust proxy to decrypt thatmessage portion, for example, then the message portion is preferablyencrypted once for each intended trust proxy, preferably using a publickey of each intended trust proxy to separately encrypt the messageportion. (Public keys of entities may be readily obtained using priorart techniques.) Or, if the policy indicates that a only particular oneof the trust proxies (or perhaps one of the portlets) should have accessto a message portion, then that message portion is encrypted only once(preferably using a public key of the intended receiver).

One or more message digests and digital signatures may also be computedat Block 430, as required to carry out the fine-grained protection ofthe message according to security requirements specified by the policyoverlay, and the digital signature(s) are then preferably added to themessage.

Note that the encrypted message portions and any digital signature(s)included with the message must conform to the applicable schema for themessage (i.e., a valid message syntax must result). Preferredembodiments use XML Schema Definition (“XSD”) annotations to referencethe applicable schema within the SOAP message to be transmitted. Referto FIG. 6, which is discussed below, for an example of syntax that maybe used to protect selected message portions.

In Block 440, the context-sensitive confidential message is transmittedfrom the sender according to the determined route. Upon receipt at eachintermediary, the intermediary locates the message portions to which itcan obtain access, and when public key cryptography was used to encryptthose portions, the receiving intermediary uses its private key fordecryption.

FIG. 5 shows a sample SOAP header 500 that may be used for specifying areference to a path stored as an XLink, where a header of this type maybe appended to outbound SOAP messages to convey the path to be taken bythe message. This header 500 contains a <traversalPathRef> tag 505(which, in the example of FIG. 5, is prepended with a name spaceidentifier of “p” for “path”), and this <traversalPathRef> tag providesa reference 510 to a hypothetical linkset which stores more detailedinformation about the path (including identifiers of the nodes orintermediaries on the path). In the example of FIG. 5, the value of the“href” attribute 510 indicates that the traversal path information isstored in a linkbase document accessible using the URL“http://ibm.SampleRoute/linkbase/lb.xml”. This URL provides acommonly-accessible means for nodes receiving a message to reference thedetermined route, and the node can use that information to determinewhere it should forward the message.

FIG. 6 provides an example of syntax that may be used to protectselected message portions, wherein a message includes security-sensitiveinformation that has been encrypted for intended receivers that will beencountered along the message path to the ultimate message receiver.Preferably, a tag syntax is used for the messages. A sample syntax for amessage header 600 is shown in FIG. 6, and is for purposes ofillustration only.

A message type is preferably specified in the transmitted message, andmessage recipients (including intermediaries) preferably inspect thismessage type to determine whether the message should contain protectedsecurity-sensitive portions to be decrypted by that recipient. Seereference number 605, which indicates that this sample message header isfor a “contentRequest” message. The message may, for example, requestcontent from the employee benefits service, bank account service, andstock portfolio service in the federation scenario discussed earlier.(In this example, the message preferably contains distinct protectedcontent for each receiving service, such that only the bank accountservice has access to the user's bank account number and so forth,although this level of detail has not been illustrated in the samplemessage header in FIG. 6.)

The message preferably contains an element that an arbitrary messagerecipient (including intermediaries) can consult to determine where tofind message portions that are to be decrypted by the message recipient.Obviously, this particular element should be specified in the clear. InFIG. 6, a “<securityHeader>” element 610 is provided for this purpose,and contains a set of “<msgReceiver>” elements 615, 620 . . . which eachspecify information about a particular intended receiver or a set ofreceivers described by a particular role. In the example, a particularmessage receiver is identified in element 615 by its IP address and portnumber (i.e., “1.2.3.4:999”), and a set of receivers is identified inelement 620 by their role “remote trust proxy” (for purposes ofillustration). A “<receiverID>” and “<receiverRole>” tag, respectively,are used for these different types of information. Each “<msgReceiver>”element also contains a “<receiverTagName>” element that identifies thename of the tag where this intended receiver's security-protectedinformation may be found. Thus, the receiver identified by IP addressand port number in element 615 can find its protected information in thetag named “<1234Tag>”, which is shown at reference number 625.Similarly, the receiver(s) identified by role in element 620 can findprotected information in the tag named “<RTPTag>” (where “RTP” is usedas an abbreviation for “remote trust proxy”), and this tag is shown atreference number 630. In tags 625 and 630, the contained information maybe encrypted; it may contain digital signature information; and soforth. (As will be obvious once the teachings disclosed herein areknown, information of the type illustrated in FIG. 6 may be presented ina number of different ways without deviating from the scope of thepresent invention.)

Techniques which have been disclosed may be used advantageously forsecuring messages in many environments, including dynamic work flowscenarios where a target service provider may be unknown to the messagesender and/or may change over the course of a long-running transaction.For example, Acme Widget may desire to allow its supplier'ssupplier—which, in the above-described example, was Supplier B—to accessAcme's confidential information, even though the identity of Supplier Bwas not configured into Acme's information technology systems.Irrespective of uncertainties of this type, preferred embodiments enableaccess to sensitive information to be protected, determining the neededprotections in a flexible and efficient manner within messages thatremain independent of the federation topology.

Optionally, a set of public keys may be established, corresponding tothe entities or intermediaries to be encountered on a selected route. Anidentifier may be assigned to the set, such that a message sender caneasily request the key set associated with the route when preparing toencrypt message portions of a message to be transmitted on that route.

As has been demonstrated, the present invention provides advantageoustechniques for context-sensitive confidentiality within a federatedenvironment, enabling various receivers of a transmitted message toaccess aspects of the message without necessarily being able to accessthe entire message. Preferred embodiments leverage open standards. Notethat while particular standards (such as WS-Routing, SOAP, and so forth)have been referenced when describing preferred embodiments, this is forpurposes of illustrating the inventive concepts of the presentinvention: alternative means for providing the analogous functionalitymay be used without deviating from the scope of the present invention.

The term “service” as used herein includes a composite service, as wellas the sub-services which have been aggregated to form that compositeservice. The term “portlet” is used herein in an illustrative sense andincludes component implementations which adhere to component modelsother than the portlet model which has been illustrated.

Several commonly-assigned and co-pending inventions will now bediscussed, and will be distinguished from the teachings of the presentinvention.

Commonly-assigned and co-pending U.S. Patent Application 20030135628(Ser. No. 10/047,811; attorney docket RSW920010199US1), which is titled“Provisioning Aggregated Services in a Distributed ComputingEnvironment”, discloses techniques that enable heterogeneous identitysystems to be joined in the dynamic, run-time Web services integrationenvironment. This application, referred to herein as “the provisioninginvention”, is hereby incorporated herein by reference. A provisioninginterface was disclosed in the provisioning invention to enableautomatically and dynamically federating the heterogeneous identitysystems which may be in use among the services which are aggregated as acomposite service. Techniques disclosed therein allow users (whetherhuman or programmatic) to be seamlessly authenticated and authorized, or“identified”, for using the dynamically-integrated services. Accordingto the provisioning invention, this seamless identification may beprovided using a single sign-on, or “unified login”, for an aggregatedservice, wherein the provisioning interface of the aggregated servicecan be used to solicit all required information from a user at theoutset of executing the aggregated service. A “stacking” approach wasdescribed whereby user passwords (or other credentials, equivalently,such as tickets or digital certificates) to be provided to thesub-services of an aggregated service are encrypted for securelystoring. The sub-services are invoked in a specified order duringexecution, according to a definition that is preferably specified in theWeb Services Flow Language (“WSFL”), and the stacked passwords are thenunstacked and presented to the appropriate authentication orauthorization sub-service.

The present invention, by contrast, does not use stacking ofcredentials, and does not rely on a provisioning interface of a Webservice. In addition, a user of the present invention is not required toprovide credentials beyond those needed for the application or serviceto which the user is initially authenticated: credentials required forsubsequently-accessed services are determined dynamically, usingcredential mapping, as discussed above.

Commonly-assigned and co-pending U.S. Patent Application 20030163513(Ser. No. 10/081,300; attorney docket RSW920010213US1), which is titled“Providing Role-Based Views from Business Web Portals”, disclosestechniques for federating user profile information. This application,referred to herein as the role-based views application, also disclosestechniques for providing this user profile information using a singlesign-on approach, whereby identifying information obtained when a userbegins to use a portal can be programmatically obtained and used bysub-services of an aggregated service. A federated authentication of anend user is performed (as disclosed in the provisioning invention);security attributes (such as the user's role) which are relevant forauthorization are acquired, for this authenticated user; and profiledata associated with these security attributes is resolved. Refer tothis commonly-assigned application, which is hereby incorporated hereinby reference, for more information.

The role-based views application does not teach techniques forcontext-sensitive confidentiality as disclosed in the present invention.

The provisioning application and the role-based views application assumethat each Web service implements its own authentication andauthorization operations. As a result, the provisioning application andthe role-based views application do not address security domainscenarios where trust, authentication, and/or authorization authoritiesimplement a collective quality of protection spanning distributedservices. Enterprise computing environments are expected to deployapplications and services in interconnected and/or disparate domains toachieve desirable scaling, security, and/or other relevant operationalcharacteristics. This model, although not addressed in the provisioningapplication and the role-based views application, is supported byembodiments of the present invention.

As will be appreciated by one of skill in the art, embodiments of thepresent invention may be provided as methods, systems, or computerprogram products. Accordingly, the present invention may take the formof an entirely hardware embodiment, an entirely software embodiment, oran embodiment combining software and hardware aspects. Furthermore, thepresent invention may take the form of a computer program product whichis embodied on one or more computer-usable storage media (including, butnot limited to, disk storage, CD-ROM, optical storage, and so forth)having computer-usable program code embodied therein.

The present invention has been described with reference to flow diagramsand/or block diagrams of methods, apparatus (systems), and computerprogram products according to embodiments of the invention. It will beunderstood that each flow and/or block of the flow diagrams and/or blockdiagrams, and combinations of flows and/or blocks in the flow diagramsand/or block diagrams, can be implemented by computer programinstructions. These computer program instructions may be provided to aprocessor of a general purpose computer, special purpose computer,embedded processor, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions specified in theflow diagram flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in acomputer-readable memory that can direct a computer or otherprogrammable data processing apparatus to function in a particularmanner, such that the instructions stored in the computer-readablememory produce an article of manufacture including instruction meanswhich implement the function specified in the flow diagram flow or flowsand/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer orother programmable data processing apparatus to cause a series ofoperational steps to be performed on the computer or other programmableapparatus to produce a computer implemented process such that theinstructions which execute on the computer or other programmableapparatus provide steps for implementing the functions specified in theflow diagram flow or flows and/or block diagram block or blocks.

While preferred embodiments of the present invention have beendescribed, additional variations and modifications in those embodimentsmay occur to those skilled in the art once they learn of the basicinventive concepts. Therefore, it is intended that the appended claimsshall be construed to include preferred embodiments and all suchvariations and modifications as fall within the spirit and scope of theinvention.

1. A computer-implemented method of achieving context-sensitiveconfidentiality within a federated environment, the method comprising:determining a network route to be taken by a message to be transmittedin the federated environment; determining, prior to transmitting themessage over the network route, a plurality of nodes to be encounteredon the determined route; at least one portion of the message that issecurity-sensitive; and, for each of the nodes and each of thesecurity-sensitive portions, whether the node is entitled to access thesecurity-sensitive portion; selectively protecting, in the message priorto transmitting the message over the network route, each of the at leastone security-sensitive portion of the message for each distinct one ofthe nodes which is entitled to access the security-sensitive portion;creating a message receiver element for each of theselectively-protected at least one portion of the message and eachdistinct one of the nodes which is entitled to access theselectively-protected portion, the message receiver element identifyingthe node and providing a node-specific keyword corresponding to thenode; and transmitting the message on the determined network route, themessage receiver elements enabling each of the nodes to locate andaccess each security-sensitive portion which the node is entitled toaccess and preventing the node from accessing any security-sensitiveportion which the node is not entitled to access.
 2. The methodaccording to claim 1, wherein the selectively protecting furthercomprises encrypting at least one security-sensitive portion of themessage.
 3. The method according to claim 1, wherein the selectivelyprotecting further comprises computing a digital signature over at leastone security-sensitive portion of the message.
 4. The method accordingto claim 1, wherein determining the network route further comprisesconsulting stored policy to determine the network route to be taken forthe message.
 5. The method according to claim 1, wherein determining,for each of the nodes and each of the security-sensitive portions,whether the node is entitled to access the security-sensitive portionfurther comprises consulting stored policy for each of the nodes to beencountered on the determined route, the stored policy specifying accessrights of the nodes.
 6. The method according to claim 1,whereindetermining, for each of the nodes and each of the security-sensitiveportions, whether the node is entitled to access the security-sensitiveportion further comprises determining a role of the node and determiningwhether nodes in the determined role are entitled to access thesecurity-sensitive portion.
 7. The method according to claim 6, whereindetermining whether nodes in the determined role are entitled to accessthe security-sensitive portion comprises consulting stored policy forthe determined role, the stored policy specifying access rights of theroles.
 8. The method according to claim 1, wherein the selectivelyprotecting further comprises encrypting each of the at least onesecurity-sensitive portion of the message for each distinct one of thenodes which is entitled to access the security-sensitive portion, theencrypting enabling the node which is entitled to access thesecurity-sensitive portion to decrypt the selectively-protected portionand preventing other nodes from decrypting the selectively-protectedportion.
 9. The method according to claim 1, wherein the determinedroute is specified in the transmitted message.
 10. The method accordingto claim 1, wherein: the network route crosses a plurality of securitydomains in the federated environment; the transmitted message containsinformation identifying an authentication authority from a first of thesecurity domains and an identification of a sender of the message andindicates that the identified authentication authority has alreadyauthenticated the sender using security credentials thereof; and each ofthe plurality of nodes which receives the message in other ones of thesecurity domains bypasses authentication of the sender for the othersecurity domain, upon verifying authenticity of the identifiedauthentication authority and establishing that the identifiedauthentication authority vouches for the message.
 11. The methodaccording to claim 10, wherein the identified authentication authorityis determined to vouch for the received message if a digital signaturecomputed by the identified authentication authority and transmitted withthe message is determined, by the node receiving the message in the oneof the other security domains, to be valid.
 12. The method according toclaim 10, wherein the transmitted message contains security credentialsof the sender, the security credentials having been authenticated by theidentified authentication authority and protected in the transmittedmessage such that only authorized ones of the nodes receiving thetransmitted message in other ones of the security domains can access theprotected security credentials.
 13. The method according to claim 12,wherein the protected security credentials are encrypted using a publickey of each of the authorized ones of the nodes receiving thetransmitted message, such that each of the authorized ones can decryptthe protected security credentials using a corresponding private key.14. A system for achieving context-sensitive confidentiality within afederated environment, comprising: a computer comprising a processor;and instructions which are executable, using the processor, to implementfunctions comprising: determining a network route to be taken by amessage to be transmitted in the federated environment; determining,prior to transmitting the message over the network route, a plurality ofnodes to be encountered on the determined route; at least one portion ofthe message that is security-sensitive; and, for each of the nodes andeach of the security-sensitive portions, whether the node is entitled toaccess the security-sensitive portion; selectively protecting, in themessage prior to transmitting the message over the network route, eachof the at least one security-sensitive portion of the message for eachdistinct one of the nodes which is entitled to access thesecurity-sensitive portion; creating a message receiver element for eachof the selectively-protected at least one portion of the message andeach distinct one of the nodes which is entitled to access theselectively-protected portion, the message receiver element identifyingthe node and providing a node-specific keyword corresponding to thenode; and transmitting the message on the determined network route, themessage receiver elements enabling each of the nodes to locate andaccess each security-sensitive portion which the node is entitled toaccess and preventing the node from accessing any security-sensitiveportion which the node is not entitled to access.
 15. A computer programproduct for achieving context-sensitive confidentiality within afederated environment, the computer program product embodied on one ormore computer-readable storage media and comprising computer-readableprogram code for: determining a network route to be taken by a messageto be transmitted in the federated environment; determining, prior totransmitting the message over the network route, a plurality of nodes tobe encountered on the determined route; at least one portion of themessage that is security-sensitive; and, for each of the nodes and eachof the security-sensitive portions, whether the node is entitled toaccess the security-sensitive portion; selectively protecting, in themessage prior to transmitting the message over the network route, eachof the at least one security-sensitive portion of the message for eachdistinct one of the nodes which is entitled to access thesecurity-sensitive portion; creating a message receiver element for eachof the selectively-protected at least one portion of the message andeach distinct one of the nodes which is entitled to access theselectively-protected portion, the message receiver element identifyingthe node and providing a node-specific keyword corresponding to thenode; and transmitting the message on the determined network route, themessage receiver elements enabling each of the nodes to locate andaccess each security-sensitive portion which the node is entitled toaccess and preventing the node from accessing any security-sensitiveportion which the node is not entitled to access.
 16. The computerprogram product according to claim 15, wherein determining, for each ofthe nodes and each of the security-sensitive portions, whether the nodeis entitled to access the security-sensitive portion further comprisesconsulting stored policy for each of the nodes to be encountered on thedetermined route, the stored policy specifying access rights of thenodes.
 17. The computer program product according to claim 15, whereinthe selectively protecting further comprises encrypting each of the atleast one security-sensitive portion of the message for each distinctone of the nodes which is entitled to access the security-sensitiveportion, the encrypting enabling the node which is entitled to accessthe security-sensitive portion to decrypt the selectively-protectedportion and preventing other nodes from decrypting theselectively-protected portion.
 18. The computer program productaccording to claim 15, wherein: the network route crosses a plurality ofsecurity domains in the federated environment; the transmitted messagecontains information identifying an authentication authority from afirst of the security domains and an identification of a sender of themessage and indicates that the identified authentication authority hasalready authenticated the sender using security credentials thereof; andeach of the plurality of nodes which receives the message in other onesof the security domains bypasses authentication of the sender for theother security domain, upon verifying authenticity of the identifiedauthentication authority and establishing that the identifiedauthentication authority vouches for the message.
 19. The computerprogram product according to claim 18, wherein the identifiedauthentication authority is determined to vouch for the received messageif a digital signature computed by the identified authenticationauthority and transmitted with the message is determined, by the nodereceiving the message in the one of the other security domains, to bevalid.
 20. The computer program product according to claim 18, whereinthe transmitted message contains security credentials of the sender, thesecurity credentials having been authenticated by the identifiedauthentication authority and protected in the transmitted message suchthat only authorized ones of the nodes receiving the transmitted messagein other ones of the security domains can access the protected securitycredentials.